FOR578: Cyber Threat Intelligence

I've been studying and working in the intelligence field for almost 10 years and it amazes me the amount of things that I still have to learn and how the field evolves. The instructor does a great job at pulling out the key concepts while still bringing in new and relevant content.

Lauren Jones, Mass Mutual

This course is terrific! Class discussion and relevant case studies are extremely helpful for better understanding the content.

Every security practitioner should attend the FOR578: Cyber Threat Intelligence course. This course is unlike any other technical training you have experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills. The course will help practitioners from across the security spectrum to:

Establish structured analytical techniques to be successful in any security role

It is common for security practitioners to call themselves analysts. But how many of us have taken structured analysis training instead of simply attending technical training? Both are important, but very rarely do analysts focus on training on analytical ways of thinking. This course exposes analysts to new mindsets, methodologies, and techniques that will complement their existing knowledge as well as establish new best practices for their security teams. Proper analysis skills are key to the complex world that defenders are exposed to on a daily basis.

The analysis of an adversary's intent, opportunity, and capability to do harm is known as cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that answers a key knowledge gap, pain point, or requirement of an organization. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.

Cyber threat intelligence thus represents a force multiplier for organizations looking to establish or update their response and detection programs to deal with increasingly sophisticated threats. Malware is an adversary's tool, but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.

Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries' methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.

In other words, cyber threat intelligence informs all security practices that deal with adversaries. FOR578: Cyber Threat Intelligence will equip you, your security team, and your organization in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and to accurately and effectively counter those threats.

Course Syllabus

FOR578.1: Cyber Threat Intelligence and Requirements

Overview

Cyber threat intelligence is a rapidly growing field. However, intelligence was a profession long before the word "cyber" entered the lexicon. Understanding the key points regarding intelligence terminology, tradecraft, and impact is vital to understanding and using cyber threat intelligence. This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, and the value they can add to organizations. It also focuses on getting your intelligence program off to the right start with planning, direction, and the generation of intelligence requirements. As with all sections, the day includes immersive hands-on labs to ensure that students have the ability to turn theory into practice.

Exercises

Using Structured Analytical Techniques

Consuming Along the Sliding Scale

Enriching and Understanding Limitations

Strategic Threat Modeling

CPE/CMU Credits: 6

Topics

Case Study: Carbanak, "The Great Bank Robbery"

Understanding Intelligence

Intelligence Lexicon and Definitions

Traditional Intelligence Cycle

Sherman Kent and Intelligence Tradecraft

Structured Analytical Techniques

Understanding Cyber Threat Intelligence

Defining Threats

Understanding Risk

Cyber Threat Intelligence and Its Role

Expectation of Organizations and Analysts

Four Methods of Threat Detection

Threat Intelligence Consumption

Sliding Scale of Cybersecurity

Consuming Intelligence for Different Goals

Enabling Other Teams with Intelligence

Positioning the Team to Generate Intelligence

Building an Intelligence Team

Positioning the Team in the Organization

Prerequisites for Intelligence Generation

Planning and Direction (Developing Requirements)

Intelligence Requirements

Priority Intelligence Requirements

Beginning the Intelligence Lifecycle

Threat Modeling

FOR578.2: The Fundamental Skillset: Intrusion Analysis

Overview

Intrusion analysis is at the heart of threat intelligence. It is a fundamental skillset for any security practitioner who wants to use a more complete approach to addressing security. Two of the most commonly used models for assessing adversary intrusions are the "kill chain" and the "Diamond Model". These models serve as a framework and structured scheme for analyzing intrusions and extracting patterns such as adversary behaviors and malicious indicators. In this section students will participate in and be walked through multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process in terms of structuring and defining adversary campaigns.

Exercises

Using Structured Analytical Techniques

Consuming Along the Sliding Scale

Enriching and Understanding Limitations

Strategic Threat Modeling

CPE/CMU Credits: 6

Topics

Primary Collection Source: Intrusion Analysis

Intrusion Analysis as a Core Skillset

Methods of Performing Intrusion Analysis

Intrusion Kill Chain

Kill Chain Courses of Action

Passively Discovering Activity in Historical Data and Logs

Detecting Future Threat Actions and Capabilities

Denying Access to Threats

Delaying and Degrading Adversary Tactics and Malware

Kill Chain Deep Dive

Scenario Introduction

Notification of Malicious Activity

Pivoting Off of a Single Indicator to Discover Adversary Activity

Identifying and Categorizing Malicious Actions

Using Network and Host-Based Data

Interacting with Incident Response Teams

Interacting with Malware Reverse Engineers

Effectively Leveraging Requests for Information

Handling Multiple Kill Chains

Identifying Different Simultaneous Intrusions

Managing and Constructing Multiple Kill Chains

Linking Related Intrusions

Collection Source: Malware

Data from Malware Analysis

Key Data Types to Analyze and Pivot On

VirusTotal and Malware Parsers

Identifying Intrusion Patterns and Key Indicators

FOR578.3: Collection Sources

Overview

Cyber Threat Intelligence analysts must be able to interrogate and fully understand their collection sources. Analysts do not have to be malware reverse engineers, for example, but they must at least understand that work and know what data can be sought. This section continues from the previous one in identifying key collection sources for analysts. There is also a lot of available information on what is commonly referred to as open-source intelligence (OSINT). In this section students will learn to seek and exploit information from Domains, External Datasets, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Certificates, and more, while also structuring the data to be exploited for purposes of sharing internally and externally.

Exercises

Open-Source Intelligence and Domain Pivoting in DomainTools

Maltego Pivoting and Open-Source Intelligence

Sifting Through Massive Amounts of Open-Source Intelligence in RecordedFuture

FOR578.4: Analysis and Dissemination of Intelligence

Overview

Many organizations seek to share intelligence but often fail to understand its value, its limitations, and the right formats to choose for each audience. Additionally, indicators and information shared without analysis are not intelligence. Structured analytical techniques such as the Analysis of Competing Hypotheses can help add considerable value to intelligence before it is disseminated. This section will focus on identifying both open-source and professional tools that are available to students, as well as on sharing standards for each level of cyber threat intelligence, both internally and externally. Students will learn about YARA and generate YARA rules to help incident responders, security operations personnel, and malware analysts. Students will gain hands-on experience with STIX and understand the CybOX and TAXII frameworks for sharing information between organizations. Finally, the section will focus on building singular intrusions into campaigns and being able to communicate about those campaigns.

Exercises

Analysis of Competing Hypotheses

Visual Analysis in Maltego

The Rule of 2

YARA Rule Development

STIX Framework IOC Extraction and Development

Building a Campaign Heat Map

CPE/CMU Credits: 6

Topics

Analysis: Exploring Hypotheses

Analysis of Competing Hypotheses

Hypotheses Generation

Understanding and Identifying Knowledge Gaps

Analysis: Building Campaigns

Different Methods of Campaign Correlation

Understanding Perceived Adversary Intentions

Leveraging the Diamond Model for Campaign Analysis

Dissemination: Tactical

Understanding the Audience and Consumer

Threat Data Feeds and Their Limitations

YARA

Advanced YARA Concepts and Examples

Case Study: Sony Attack

Dissemination: Operational

Partners and Collaboration

Government Intelligence Sharing

Traffic Light Protocol Standard

Information Sharing and Analysis Centers

CybOX, STIX, and TAXII

STIX Elements and Projects

TAXII Implementations

Threat Intelligence Metrics

Communicating About Campaigns

Campaign Heat Maps and Tracking Adversaries

FOR578.5: Higher-Order Analysis and Attribution

Overview

A core component of intelligence analysis at any level is the ability to defeat biases and analyze information. The skills required to think critically are exceptionally important and can have an organization-wide or national-level impact. In this section, students will learn about logical fallacies and cognitive biases as well as how to defeat them. They will also learn about nation-state attribution, including when it can be of value and when it is merely a distraction. Students will also learn about nation-state-level attribution from previously identified campaigns and take away a more holistic view of the cyber threat intelligence industry to date. The class will finish with a discussion on consuming threat intelligence and actionable takeaways for students to make significant changes in their organizations once they complete the course.

Additional Information

Laptop Required

IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!

You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article provides good instructions for Windows users to determine more about the CPU and OS capabilities.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

FOR578 SYSTEM HARDWARE REQUIREMENTS:

CPU: A 64-bit Intel i5 x64 2.0+ GHz processor or higher is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory).

RAM: 6 GB of RAM or higher is mandatory for this class (Important - Please Read: 6 GB of RAM or higher is mandatory).

Host Operating System: Fully patched and updated Windows (7+), Mac OSX (10.10+), or recent version of Linux operating system (released 2014 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.

Networking: Wireless 802.11 B, G, N, or AC.

USB 3.0 ports recommended.

Students must have Local Administrator access to their host operating system and to its BIOS settings.

Federal Agents and Law Enforcement Officials who want to master advanced intrusion investigations and incident response, as well as expand their investigative skills beyond traditional host-based digital forensics.

Technical Managers who are looking to build intelligence teams or leverage intelligence in their organizations building off of their technical skillsets.

SANS Alumni looking to take their analytical skills to the next level.

Prerequisites

FOR578 is a good course for anyone who has had security training or prior experience in the field. Students should be comfortable with using the command line in Linux for a few labs (though a walkthrough is provided) and be familiar with security terminology.

Students who have not taken any of the above courses but have real-world experience or have attended other security training, such as any other SANS class, will be comfortable in the course. New students and veterans will be exposed to new concepts given the unique style of the class focused on analysis training.

Press & Reviews

We are proud that the FOR578: Cyber Threat Intelligence course has been reviewed by many of the leading minds in cyber threat intelligence, providing us with key input and recommendations from commercial, government, and DoD organizations.

FOR578 Technical Reviewers have included:

Chris Anthony, Johns Hopkins University

Rich Barger, ThreatConnect

J. Brett Cunningham, Allsum, LLC

Rick Holland

Robert Huber

Eric Hutchins

Bertha Marasky, Verizon

Kyle Maxwell

Vivek Nakkady

Scott J. Roberts

Ray Strubinger

Adam Vincent, ThreatConnect

Adam Weidemann

"Cyber Threat Intelligence is an entire discipline, not just a feed. This course will propel you along the path to understanding this rapidly maturing field of study." - Bertha Marasky, Verizon

"Threat Intelligence Analysis has been an art for too long, now it can finally become a science at SANS. Mike Cloppert and Robert M. Lee are the industry 'greybeards' who have seen it all. They are the thought leaders who should be shaping practitioners for years to come." - Rich Barger, CIO, ThreatConnect

"This is an awesome course and long overdue. I like the way you have mixed the technical with the intelligence and this is the first time I've seen this done in a meaningful way. Amazing work!" - Rowanne Mackie

"Fantastic class! I love the way the terminology was covered." - Nate DeWitt, eBay

"This training was invaluable. It provided me with insight on how to set up my own intel-driven defense." - Jason Miller, Warner Brothers

"...You walk out different and start seeing everything from a different perspective." - Tok Yee Ching, Quann Singapore PTE LT

"I could take this course 5 times more and get something new each time! So much valuable info to take back to my organization." - Charity Willhoite, Armor Defense, Inc.

"This course gives a very smart and structured approach to CTI, something that the global community has been lacking to date." - John Geary, Citigroup

"I love and learn a lot with the course! Intense but fun, lots of practical-use cases that I can bring back to work and share with my team." - John Perea, KPMG

"This course was invaluable in framing my role as a hunter in the intelligence consumption/generation process." - Christopher Vega, Citigroup

"Stepping into an undeveloped role is very challenging. I feel the topics, materials, and views covered will help me to make expert decisions and aid the industry as a whole." - Drew Maher, Energy Future Holdings

"Best discussion of CTI in a formal way I have found." - Alexander Schraut, Experian

"Only course of its kind, and it is actually good info that I can use on day 1 when I get back to work." - Markis Vines, BB&T

"This course helps you get comfortable using a variety of tools for analysis so you can go back to work and immediately start using them." - Jessica Lee, Leidos

Statements From Our Authors

The author team of Mike Cloppert, Chris Sperry, and Robert M. Lee originally developed FOR578: Cyber Threat Intelligence with the understanding that the community was in need of a single concise collection of tradecraft. Cloppert and Sperry initiated the development of the course with the understanding that their schedules would not permit them to be able to constantly teach it. However, it was through their thought leadership that the class has become what it is today. Their influence on the development of the course remains relevant today, and SANS thanks them for their leadership.

"When considering the value of threat intelligence, most individuals and organizations ask themselves three questions: What is threat intelligence? When am I ready for it? How do I use it? This class answers these questions and more at a critical point in the development of the field of threat intelligence in the wider community. The course will empower analysts of any technical background to think more critically and be prepared to face persistent and focused threats."

- Robert M. Lee

"Threat intelligence is a powerful tool in the hands of a trained analyst. It can provide insight to all levels of a security program, from security analysts responding to tactical threats against the network to executives reporting strategic-level threats to the Board of Directors. This course will give students an understanding of the role of threat intelligence in security operations and how it can be leveraged as a game-changing resource to combat an increasingly sophisticated adversary."

- Rebekah Brown

"Before threat intelligence was a buzzword, it was something we all used to just do as part of incident response. But I'll admit that most of us used to do it badly. Or more accurately, ad hoc at best. We simply lacked structured models for intrusion analysis, campaign tracking, and consistent reporting of threats. Today, we need analysts trained in intelligence analysis techniques ready to perform proper campaign modeling, attribution, and threat analysis. The Cyber Threat Intelligence course teaches students all of that, as well as how to avoid cognitive biases in reporting and the use of the alternative competing hypothesis in intelligence analysis. These are critical skills that most in industry today absolutely lack."

- Jake Williams

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.